AI cyberattacks on retailers rise ahead of holiday season
Imperva, a Thales company, has released an analysis highlighting the increasing risk of AI-driven cyberattacks targeting online retailers, particularly as the holiday shopping season approaches.
The six-month analysis from April 2024 to September 2024 reports that retail websites are subjected to an average of 569,884 AI-driven attacks each day. These originate from AI tools such as ChatGPT, Claude, and Gemini, including specialised bots created to extract data for Large Language Model (LLM) training.
The analysis indicates that business logic abuse is the most prevalent form of AI-driven attack, accounting for 30.7% of such threats. This involves cybercriminals exploiting the legitimate functionalities of applications or APIs to conduct malicious activities like price manipulation and discount code abuse. Imperva advises that retailers implement strict validation of user inputs and employ anomaly detection systems to mitigate these attacks.
Distributed Denial of Service (DDoS) attacks represent 30.6% of AI-driven threats, with the objective of overwhelming website resources, leading to downtime, lost sales, and reputational harm. Imperva suggests that retailers invest in machine learning-driven DDoS protection solutions to identify and filter malicious traffic efficiently.
Bad bot attacks are responsible for 20.8% of AI-driven threats against retailers. These bots are involved in activities such as scraping pricing data, credential stuffing, and inventory hoarding. The 'Grinch bot', notorious for its holiday season inventory hoarding, is mentioned as a significant threat. To counter these, retailers should leverage behavioural analytics in their bot management strategies.
API violations, accounting for 16.1% of AI-driven threats, are on the rise as eCommerce platforms integrate more APIs for mobile applications and third-party services. Cybercriminals take advantage of API vulnerabilities to obtain unauthorised access to sensitive data. Imperva stresses the importance of enforcing stringent authentication protocols and conducting thorough security assessments to protect APIs.
Nanhi Singh, General Manager of Application Security at Imperva, warned, "While cybersecurity threats are a concern year-round, they become even more pronounced during the holiday shopping season, when retailers often experience record-breaking sales.
"Cybercriminals recognize this and are using generative AI tools and LLMs to capitalize on the increased volume of digital transactions, limited-time promotions, and the gift cards and loyalty points stored in customer accounts."
Singh further added, "In previous years, we've seen security threats like Grinch bots and DDoS attacks cause major disruptions during the holiday shopping season, affecting both retailers and consumers alike. Now, with the widespread availability of generative AI tools and LLMs, retailers are contending with a new wave of sophisticated cyberthreats.
"Without robust defenses, retailers risk facing a perfect storm of AI-driven attacks that could disrupt operations, compromise customer data, and tarnish their reputations during the most critical time of the year.
"To effectively mitigate these threats, retailers must adopt a comprehensive strategy that not only defends against these attacks but also allows them to respond swiftly without disrupting the shopping experience."
The report underscores the risks these AI-driven threats pose not just for retailers but also for consumers, as they can lead to identity theft, financial loss, and decreased trust in eCommerce platforms. As cybercriminals exploit these advanced technologies, retailers are urged to upgrade their cybersecurity measures to safeguard both business operations and customer data during this peak shopping period.